COMPASS-7386: Migrate to the New Signing Service

Details

    • Type: Task
    • Resolution: Duplicate
    • Priority: Minor - P4
    • Fix Version: No version
    • Iteration: Scutellosaurus

    Description

      We’ve recently completed migrating MongoDB’s internal signing platform to a new vendor, Garasign. Up until now, teams have been using an internally-built signing solution just called “Notary Service”. The Notary Service was convenient for a lot of things, but as new security requirements have come up and technology has moved on (Notary was written in Python 2!), we decided to move to a Hardware Security Module (HSM)-backed platform that integrates with native signing tools like Windows Signtool, JSign, and Osslsigncode (Windows Portable Executables or MSIs) or GPG (RPMs, detached PGP signatures, Git tags). As a note, the macOS Notary Service will continue to be a separate offering unrelated to this migration.

      For your projects, this means that we’re asking teams to migrate from the current custom tooling to the new, more general tooling which can transparently sign artifacts via the cloud HSM. As a tentative, soft deadline, we’d like to consider turning off access to the old Notary Service by early FY24 Q4. If you don’t believe this is enough time for your project to migrate, please reach out to us in #devprod-release-tools and we can look into what accommodations we need to make on a case-by-case basis.

      We currently provide container images which contain the necessary binaries for signing in order to more tightly control dependencies, but we are open to discussion on alternative setups if this cannot meet your needs. We have created a comprehensive wiki page describing how to use the new tooling, and can answer any questions or assist in debugging as needed. Additionally, all Server release branches have already been migrated as an example you can use.

      Please feel free to reach out over email or in #devprod-release-tools with any questions, comments or concerns!

      We see the legacy notary service being used in places like https://github.com/mongodb-js/compass/blob/dee79541f8ceacc82322c4ce2ee204bd5c5f149d/packages/notary-service-client/lib/index.js#L2
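The description above says artifacts will now be signed through native tooling (GPG for RPMs, detached PGP signatures and Git tags) with the private key held in a cloud HSM. What that buys a consumer is that verification needs nothing but the published public key. The script below is an added example, not Compass, Notary Service or Garasign code: it generates a throwaway keypair to stand in for the HSM-backed key, exports only the public half into a second keyring that plays the consumer, signs a constructed sample artifact, and shows that a copy differing by one byte is rejected. It assumes only that a `gpg` binary is on PATH; the key identity, file names and `check_signature`/`sign_artifact` helpers are this example's own.

```shell
#!/bin/sh
# Added example (not Compass, Notary Service or Garasign code): produce and
# verify a detached PGP signature on a release artifact, with the consumer
# side holding only the public key. Assumes a gpg binary on PATH.
set -eu

WORK="$(mktemp -d)"
SIGNER_HOME="$WORK/signer"      # stands in for the HSM-backed signing key
VERIFIER_HOME="$WORK/verifier"  # the consumer's keyring: public key only
mkdir -m 700 "$SIGNER_HOME" "$VERIFIER_HOME"
trap 'GNUPGHOME="$SIGNER_HOME" gpgconf --kill all 2>/dev/null || true;
      GNUPGHOME="$VERIFIER_HOME" gpgconf --kill all 2>/dev/null || true;
      rm -rf "$WORK"' EXIT

# gpg_as HOME args... : run gpg non-interactively against one keyring.
gpg_as() {
  home="$1"; shift
  GNUPGHOME="$home" gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"
}

# Throwaway, unprotected signing key under an example identity (assumption:
# not a MongoDB key; in production this key never leaves the HSM).
gpg_as "$SIGNER_HOME" --quick-generate-key \
  'Example Release Signing <release@example.invalid>' default sign never 2>/dev/null

# Publish the public key. This armored file is all a consumer ever needs.
gpg_as "$SIGNER_HOME" --armor --export 'release@example.invalid' > "$WORK/release-key.asc"
gpg_as "$VERIFIER_HOME" --import "$WORK/release-key.asc" 2>/dev/null

# sign_artifact FILE : write FILE.asc, an armored detached signature.
sign_artifact() {
  gpg_as "$SIGNER_HOME" --armor --detach-sign --output "$1.asc" "$1"
}

# check_signature FILE SIG : print GOOD if SIG verifies FILE against the
# consumer keyring, BAD otherwise (bad signature, wrong file, unknown key).
check_signature() {
  if GNUPGHOME="$VERIFIER_HOME" gpg --batch --quiet --verify "$2" "$1" 2>/dev/null; then
    echo GOOD
  else
    echo BAD
  fi
}

# Constructed sample artifact standing in for an RPM or tarball.
ARTIFACT="$WORK/compass-example.tar"
printf 'constructed release artifact contents\n' > "$ARTIFACT"
sign_artifact "$ARTIFACT"

# A copy whose bytes differ by a single character, verified against the
# signature that was made for the original.
TAMPERED="$WORK/compass-tampered.tar"
printf 'constructed release artifact contents!\n' > "$TAMPERED"

GOOD_RESULT="$(check_signature "$ARTIFACT" "$ARTIFACT.asc")"
TAMPERED_RESULT="$(check_signature "$TAMPERED" "$ARTIFACT.asc")"
echo "original: $GOOD_RESULT, tampered: $TAMPERED_RESULT"
```

Note that the verifier keyring never sees the private key, which is the property the HSM-backed setup preserves in production: the signing binary in the container talks to the HSM, and downstream checks need only the exported public key. `gpg --verify` exits non-zero for a bad signature and for a signature from a key that is not in the keyring, so `check_signature` treats both as BAD rather than distinguishing them.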

People

    Assignee: Unassigned
    Reporter: Zakhar Kleyman (zakhar.kleyman@mongodb.com)